4.2 Obtain Senior Management Sponsorship of OCTAVE
Senior management sponsorship is the top critical success factor for information security risk evaluations. Any successful evaluation requires the time of people in the organization, and senior managers need to participate in the OCTAVE Method. If they support the process, people in the organization tend to participate actively. If senior managers do not support the process, staff support for the evaluation will dissipate quickly. People will miss workshops, and the analysis team will not be able to persuade people to attend. If people know that senior management is committed to the evaluation process, the analysis team will have the authority and backing to persuade people to attend the workshops.
What Is Sponsorship?
First, let's address what we mean by sponsorship. We use the term to imply the following:
The last item is particularly important, because an evaluation is worthless if little or nothing is done with its results and recommendations. An evaluation that goes nowhere is, in fact, worse than no evaluation at all, because participants and managers will be less inclined to do another one in the future.
Now that we've established what we mean by sponsorship, we need to think about how to get it. Although sponsorship from your organization's senior managers is a vital requirement for successful conduct of the OCTAVE Method, there is no simple formula for obtaining it. In some cases the senior managers in an organization have taken the initiative in getting the OCTAVE Method implemented in their organizations, thus guaranteeing sponsorship, but this is not typical.
Often, one person in the organization learns about the OCTAVE Method and decides to conduct an evaluation in his or her organization. We refer to that person as the champion. In order to develop senior management sponsorship of the OCTAVE Method, the champion needs to make appropriate senior managers aware of the evaluation process, the expected outcomes, and the expected time and personnel commitments. An obvious question, then, is: who are the appropriate senior managers? In general, they are any individuals high enough up in the company to commit the organization and its resources to this effort. These senior managers are often chief executive officers, directors, or members of the organization's governing board.
It's Not Just an Information Technology Problem
We have seen cases in which despite strong sponsorship from the chief information officer in an organization, the organization nevertheless has trouble successfully conducting the OCTAVE Method. In such cases, broad support from the organization's business units was lacking because their personnel perceived the evaluation as only an information technology issue. For the OCTAVE Method to be effectively deployed in an organization, it also needs the support of a senior manager outside the information technology area.
The OCTAVE Method requires broad sponsorship because it requires the participation of people from both the business units and the information technology department. Staff members who work in the business lines of an organization understand the relative importance of business operations and of the systems and information that support those operations. In general, they are in the best position to understand the business impact of disruption or abuse of business systems and operations, and the business impact of potential mitigation actions. Information technology staff members, including information security experts, understand the design of existing systems and the impact of technology-related vulnerabilities. They are also in the best position to evaluate the trade-offs of mitigation actions with respect to their effect on system performance. Senior managers need to be made aware that information security is not solely an information technology issue. In addition, the managers who sponsor an initiative such as the OCTAVE Method need to have the authority to commit the time of staff members from the organization's business units as well as from the information technology department.
Regulations and Standards of Due Care
Regulations are becoming more common in many industry segments these days. The Health Information Portability and Accountability Act (HIPAA) [HIPAA 98] establishes a standard of due care for information security for health care organizations, while Gramm-Leach-Bliley [Gramm 00] legislation does the same for financial organizations. Most information security standards of due care require an organization to conduct an information security risk evaluation and to manage its risks. If your organization must perform an information security risk evaluation because of regulations, bring this requirement to the attention of your organization's managers. We have seen the senior managers of organizations sponsor information security risk evaluations after learning about regulations and the requirements for compliance.
Although there are no substantial "return on investment" data available at this time with respect to security improvement activities, you can present anecdotal information to inform senior managers about the benefits of using information security risk evaluations. You can emphasize how some organizations use these evaluations as the central component of a security improvement initiative. Those organizations often view a security improvement initiative as a competitive advantage.
Conducting a Limited Evaluation
The champion in one organization decided to conduct a limited evaluation to build sponsorship for a more extensive implementation of the OCTAVE Method. He was able to recruit an analysis team and get middle-management sponsorship from one operational area. The team conducted the OCTAVE Method on the operational area and then presented the results to senior managers. This approach enabled senior managers to see what the results of the evaluation looked like and was a good way to get them interested in expanding the effort.
In the end, of course, there is no single way to ensure sponsorship for conducting an evaluation like the OCTAVE Method, but the ideas presented here should start you thinking about how to build sponsorship of the OCTAVE Method in your organization. The next section examines how to select analysis team members.